Tag Archives: survey

A new study was released by Branden Williams and the Merchants Acquirer Committee (MAC), and it is worth a read. One aspect that jumped out at me is the gap between the compliance and compliant rates shared in the study. The difference here is between those who have represented themselves as PCI compliant through Attestations of Compliance (AOC) and those who have had their programs pressure tested by the criminals of the world and been found wanting.

Here is the snippet from PCI GURU that highlights this state of discrepancy:

The biggest finding of the study and what most people are pointing to is the low compliance percentages across the MAC members’ merchants. Level 1, 2 and 3 merchants are only compliant around 67% to 69% of the time during their assessments. However, most troubling is that Level 4 merchants are only 39% compliant.

Depending on the merchant level, these figures are not even close to what Visa last reported back in 2011. Back then, Visa was stating that 98% of Level 1 merchants were reported as compliant. Level 2 merchants were reported to be at 91% compliance. Level 3 merchants were reported at 57% compliance. As is Visa’s practice, it only reported that Level 4 merchants were at a “moderate” level of compliance.

The Board of Directors, CISO, and legal should all care deeply that PCI security (and, of course, the security required by other contractual agreements) is achieved honestly. Too often organizations view this like registering a car with the government. This is far too complex and impactful to people within and outside a given business. The cyber economic connections between proper, efficient, and effective security all lend to better products in the market and more focus on what the business is driving towards.

Is your program honestly secure and fully addressing these least practice principles?

The 2010 survey is complete, and I have dug through it and have the following thoughts to offer. First off though – thank you to Symantec for making the information so readily available. They have provided the slides via SlideShare, the PDF report, and the press release. My efforts below are not to reproduce the report, but instead to carry the ideas and findings one step further. In addition, my hopeful final goal is to challenge the report and certain aspects of the findings in the spirit of relative context.

“Enterprise security is IT’s top concern” – when compared to the other options listed in the survey I do not find this impressive, as digital threats are the most direct concerns. On page 5 of the report, though, the detail that 94% of businesses expect to change their cyber security efforts and 48% are planning major changes is impressive. That highlights the intelligent repositioning of enterprises and the continued focus on remaining engaged with the threats and not passive. This also likely correlates with businesses’ increased focus on deploying greater information technology throughout the business, and throughout the expanding consumer / business markets. Major changes are a natural result in these cases.

“Enterprises experiencing frequent attacks” – that 75% of businesses experienced a cyber attack within the past 12 months is a significant figure. If a cyber attack is considered an event that “activates” the incident response teams and / or forensic groups, that is a significant cost and concern. Attacks, as every firewall administrator and every grandmother who gets a virus knows, occur non-stop online, so it is important to qualify and scale these attacks by criticality. This is an important fact in the survey, but more important in the enterprise. The help desk of most organizations is ably suited to respond to malware infections and queuing systems for remote desktop configuration refreshes. For situations that involve a loss of trust for a specific system resulting from extended malware infection, odd behavior, or log evidence of unauthorized access – these systems should activate the appropriate resources to address these risks directly.

Most problematic IT initiatives from a Security standpoint:

Infrastructure-as-a-Service

Platform-as-a-Service

Server Virtualization

Endpoint virtualization

Software-as-a-Service

The common thread of these initiatives is the abstract nature of the actual computing system. Whether virtual or processed within a distributed computing environment, the necessity to translate information security safeguards is not automatic. In fact, most conversions into these initiatives highlight the inherent weaknesses that are present in the existing infrastructure, but were addressed through compensating / ad-hoc controls. Therefore, while difficult, the net risk posture will improve. Another perspective is the organizational shift that occurs when network/system operators become service delivery specialists. This cultural swing away from computing system management to application procurement and service management requires careful attention, training, and tight feedback cycles.

The report concludes with some strategic recommendations that are worth reviewing and confirming that they are currently in operation.

Overall, the statistics and findings are in line with the concerns and challenges enterprises have been addressing over the last year. The survey provides a nice update and is certainly useful. As in any survey, consider the source and recognize that your environment is unique. Such individuality of computing systems by its very nature requires a custom and reflective approach to managing risk and security within the organization.